How to check devices using SMTP relay server (Exchange)

Subscribe to my newsletter and never miss my upcoming articles

I am working on an Office 365 migration and trying to decommission the on premises Exchange Server. The mail server has been in production for several years and has lots of devices using it as a relay.

I needed to dive into more detail on what specific hosts were actually using it. Below is a script that will check the Exchange logs and produce a report of all the devices using the server as a relay.

Here is the script-

<#
.SYNOPSIS
Script to parse through the smtp protocol logs and list out the unique IPs and DNS names

.DESCRIPTION 
Outputs a list of the IPs and DNS names of the Unique IPs found in the SMTP Protocol Logs

.EXAMPLE
.\GetSMTPLogUnique.ps1 -dir "F:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpReceive"

#>
[CmdletBinding()]
Param(
    [Parameter(Mandatory=$true)][string] $dir)
#if you want to exclude IPs (like other Exchange Servers in your org) put them here.
$Exclude=@("x.x.x.x")

#Get all the logs in the specified Dir
$files=Get-ChildItem $dir -Filter *.log
#loop through the files unless the Dir is empty
if($files -ne $null){
    $logs=@()
    $output=@()
    foreach ($file in $files) {
        #grab the file, skip any lines that begin with a #
        #split the log by comma and take column 5 (default for client IP
        #then split the filed by : and take jsut the first element, this is the IP of the client
        $logs+=get-content $file.FullName | ?{$_ -notmatch "^#"} | % {$_.Split(",")[5]} | %{$_.Split(":")[0]}
    }
    #sort the logs and only keep the Unique IPs
    $logs= $logs | sort-object | get-unique
    #Loop through the IPs and resolve the name from DNS
    #and set up an object for output
    foreach($log in $logs){
        if($Exclude -notcontains $log){
            $dns=$null
            Write-Verbose "Working on $log"
            $objlog = new-object system.object
            $objlog | add-member -type NoteProperty -name IP -value $log
            $dns=[System.Net.Dns]::GetHostEntry($log).HostName
            #GetHostEntry will return the ip back if it can't resolve the IP to a name
            #so use the resolved name if you don't get the IP back
            if($dns -ne $log){
                $objlog | add-member -type NoteProperty -name DNS-Name -value $dns
            } else {
                #if it doesn't resolve use "Unknown" for the name
                $dns="Unknown"
                $objlog | add-member -type NoteProperty -name DNS-Name -value $dns
            }
            Write-Verbose "Got this from DNS $dns"
            #push the info into our output var
            $output+=$objlog
        }
    }
    $output
} else {
    #if the DIR is empty tell me
    Write-Host "You log Directory ($dir) appears to be empty of log files."
    Write-Host "Check your path and try again."
    Write-Host "Also ensure that your Exchange server Protocol Logging is enabled."
}

No Comments Yet